Virtually all card issuers support AVS (Address Verification System) in US, UK and Canada. In other countries, it's less reliable. AVS checks only the numeric portion of the street address and postal code, and returns a code indicating whether AVS is supported and whether one or both of the numbers match the ones on file with the card issuer.

Stripe supports AVS the same as other processors. Whether you choose to reject cards that don't pass AVS is up to you: it's a setting. So is which of the codes you want to reject. That's the case at every payment processor I've used. Different businesses, collecting cards in different scenarios, are going to have different risk profiles and different needs. If you're running a store selling computers to strangers over the internet, you probably want full AVS in addition to other fraud checks. If you're taking an invoice payment from another business you've worked with for years, you might not want to bother collecting and verifying an address.

Also, depending on your processor the business' rates may vary depending on how much extra information they provide to help combat fraud. Ex: If you only give credit card info you might be in the highest bracket. If you also give zip code, you'll get dropped down to the next, etc.

Names and addresses are extremely difficult to verify as spelling, abbreviations, etc. can all come into play.

With that said, about 3 months ago I was having problems reloading my Starbucks card with my credit card. The charges would go through on my credit card, the balance wasn't updating on my Starbucks card, and Starbucks system got stuck in a loop somewhere and kept taking money out off my card until I called my bank to get them to stop approving the charges altogether. Long story short, I called Starbucks and after about an hour the poor girl on the phone told me they had implemented increased fraud protections that compared the name on your Starbucks card to the name on your credit card. Because my credit card used my full name and my Starbucks card didn't the balance wasn't getting transferred over and was getting stuck in a loop somewhere. Not sure how they were doing the name verification or if they were just doing a simple compare in house, but needless to say was a little frustrating.

There are many services that will do data sanitation. It can be difficult but certainly seems in the purview and capabilities of a $170 Billion company (visa).

You can get pretty far with with fuzzy matching or just a simple levenshtein distance between name on record and name sent with order.

I understand UPS is probably not the most popular name around here, but their address API is actually quite good. I would also trust them with the data quality as they actually got real people verifying the addresses when packages are delivered.

Why isn't UPS popular around here?

Is that available to all accounts?

It's up to the merchant / intermediary party to specify how much validation they want. Yes, you can choose that only card number & expiry have to be correct, or you can go the whole 9 yards and want name & address to be correct.

This isn't a Stripe-specific case. Moneris, a card processor in Canada, has a bunch of fields that a merchant can check on/off if they want them to validate the details during payment.

But you're right - if the validation isn't happening, why bother collecting the data? At the very least it might hurt conversion rates.

People are going to feel unsafe not giving you that information but also a credit card. (Which is pretty fair...)

This is correct.

A merchant can play a balancing act between having limited validations but a higher processing success rate against the chance of a higher dispute rate.

From my experience with our card processor (not stripe):

1) They have AVS checks, which can check the street number and zip code. But its up to us to decide what to do with this information (e.g. void the transaction).

2) They do not check anything else (country, name, state, phone, email, etc).

3) Some cards will fail if you put in the wrong expiration date, some won't - I would guess this is up to the card being charged. I get no information back when its incorrect but they let the charge go through.

4) Some cards will fail if you put in the wrong cvv code. Some will succeed but will just let you know through another field that the cvv code doesn't match - its up to us to decide what to do (e.g. void the transaction).

> Try for yourself next time you order something online. Makes me wonder why they even collect the data in the first place...

You're right, you don't need the billing address to process a payment, although it's not true to say it's not used at all. Sometimes card companies do validate it, it depends on the type of transaction and the fraud profile. Often it's fuzzily matched, so name may not matter.

But you can also use it for other things: for example, fraud detection. Say your billing address is in New York, but your shipping address is to some Eastern European country. That's a big flag for fraud. So merchants collect it because they want to avoid damage to their bottom line.

But it seems like you can just give them your Eastern European address for both and get through just fine, no?

Correct me if I'm wrong, but Stripe does verify the zip code if the administrator of the account enables that.

People are confused how these checks work. Banks do not enforce AVS. On the auth, you'll get back status codes whether there was mismatch in the information. Its up to merchant to decide whether or not to put it into the settlement batch so the money is transfer. Regardless, the authorization went through and funds are on hold.

Most Stripe orders I've done lately don't even ask for my name. Correct me if I'm wrong. It's only the CC number, CVV, and expiration. Maybe it's different if the total charge is higher?

This was using their mobile API. Their SDK allows for a name param.

> Last year I was testing Stripe integration. I tried using my own credit card with a fake name.

This sounds like a great way to get your account shut down.

They provide test/mock APIs for a reason.

That's a good point, hellbanner should have used the test API, but this is still troubling. First, due to the lack of the communication and a proper ticket system from Stripe. Second (and more troubling), the idea that someone could maliciously cause you to lose the ability to process payments on your site simply by submitting a bunch of fake (or half-fake) transactions.

Creating a system that processes payments can be an involved process, requiring significant development effort, even when using API and libraries like Stripe provides. It seems like Stripe should only be shutting people down as a last resort, after repeated warnings with a clear way on how to fix the problem. This is also just good business practice. No one wants to be shut down without a good reason and without any recourses for appeal or reconciliation.

I'm willing to wager that a huge number of Credit Card transactions are submitted with names that don't match the credit card. In 10+ years and hundreds (thousands?) of transactions, I've never submitted a credit card transaction that matched the name on my card (which has my full name, and I just use my first and last name in the fields) - I've never been rejected.

It's the "using my own credit card" that sounds like a great way to get your account shut down, not using it with a fake name. Charging your own cards is something payment processors don't like for a number of reasons, like the fact that it can be used to perpetrate all kinds of frauds: giving yourself cash advances the card issuer hasn't approved, gaming credit card reward programs, skewing your volume and reversal metrics the processor uses to evaluate your account risk, etc.

I wanted to verify their production code worked. Instead of using a real customer's credit card, I used my own. If there was a bug in my code, my own card would be at risk, not a customer's.

It would be nice if stripe offered name & address as an option to help prevent fraud, but they probably won't require it any time soon.

It may be odd for a company of their size to skip validating name & address, but I don't think this is unusual. I've implemented several medium-to-large payment processing systems and the processors didn't care about name & address -- they just wanted the numbers on the card.

That's how credit card processing works and it pretty much works fine. Names are not checked, which is fine because they have no bearing on anything. Addresses (and CSCs) are almost always checkable and almost always checked but merchants can decide what to do with the results depending on their business.

When I used to process credit cards for MetLife it would always error out if I messed up the name or address. This was only about a year ago. I forgot what system we were using, but just thought I would mention it.

Name is not validated and seems useless to even collect. However both billing Address line 1 and Zip code can be validated by processors, including Stripe.

Actually collecting a name can be valuable piece of data when combating fraud. Having as much personal data (name, address, phone, CVV, IP address) about the person making the charge can be used as evidence in disputes if you ever need to defend yourself against a chargeback.

yeah, but Line 1 is considered unreliable and stripe doesn't automatically use it - they have an API to let you know if line 1 fails, but you have to cancel the transaction yourself

The issue with AVS is that it only matches numbers (so 123 Main Street and 123 Maple Street could both return true). The other issue is apartment numbers. If the address on file is 123 Main Street #123 but the customer puts #123 on line 2 in your form is that a match or not?

our billing team has noticed this. Pretty crazy

It's not really crazy, it comes down to what data you have from upstream. It's not like you are swiping a card and have access to the magstripe data. With AVS it's only Amex that bothers with the cardholder's name.

usually it's because when you're buying something it needs to be delivered ;)